OFFICE OF INSPECTOR GENERAL

MEMORANDUM

DATE:          April 10, 2001

TO:            Chairman

FROM:          Inspector General

SUBJECT:       Report on Internet Privacy and Web Cookies

The Office of Inspector General (OIG) has completed a Special Review of Internet Privacy and Web
Cookies. A copy of our Special Review Report, entitled “Special Review of Internet Privacy and Web
Cookies” is attached. This review was required by Section 646 of the “Treasury and General
Government Act, 2001” (the Act). Section 646 of the Act states that “Not later than 60 days after the
date of enactment of this Act, the Inspector General of each department or agency shall submit to
Congress a report that discloses any activity of the applicable department or agency relating to—

   (1) the collection or review of singular data, or the creation of aggregate lists that include
       personally identifiable information, about individuals who access any Internet site of the
       department or agency; and

   (2) entering into agreements with third parties, including other government agencies, to
       collect, review, or obtain aggregate lists or singular data containing personally
       identifiable information relating to any individual's access or viewing habits.”

Following passage of this legislation, representatives of the Department of Defense Office of Inspector
General (DOD IG) met with congressional staff to obtain an understanding of the intent of Section 646
and to discuss expectations regarding the parameters of the review and individual reports. Based on
these discussions, the DOD IG prepared and distributed a list of agreed upon questions relating to
Internet Privacy and Web Cookies.
A listing of the agreed upon questions is included as Appendix 1 to
our Special Review Report.

The objectives of this Special Review were to evaluate Commission practices related to Internet Privacy
and Web Cookies and to provide a report to Congress on these practices. Specific objectives of the
review were to examine: 1) the purpose and use of cookies on FCC web pages, 2) the use of other
Internet information collection devices, such as web bugs, 3) what categories of information are
collected on the FCC web site, 4) what personal information is collected when

Special Review of Internet Privacy and Web Cookies

Table of Contents

EXECUTIVE SUMMARY

REVIEW OBJECTIVE

REVIEW SCOPE

BACKGROUND

OBSERVATIONS

APPENDIX 1   Document entitled “Privacy Issues for IGs to Examine”
             Resulting from Discussions between the Inspector General
             Community and Congressional Staff

APPENDIX 2   Management Response

EXECUTIVE SUMMARY

The Federal Communications Commission (FCC) is increasingly using the Internet to
conduct business and to disseminate information. For example, the Commission
currently maintains several internet-based electronic filing (e-filing) systems that allow
the public to submit and/or review different types of filings related to FCC proceedings,
rulemakings, tariffs, and official forms.
However, although the use of the Internet for
commerce presents opportunities to improve the efficiency of Commission operations, it
also presents new and unique privacy challenges. Federal agencies are required to protect
an individual’s right to privacy when they collect personal information [1] including a
regulation on the use of cookies [2]. Cookies are small pieces of information that are stored
on a user’s web browser [3] that can be manipulated to surreptitiously collect personal
information.

On December 14, 2000, Congress passed the “Treasury and General Government Act,
2001” (the Act). Section 646 of the Act (Section 646) states that “Not later than 60 days
after the date of enactment of this Act, the Inspector General of each department or
agency shall submit to Congress a report that discloses any activity of the applicable
department or agency relating to—

     (1) the collection or review of singular data, or the
     creation of aggregate lists that include personally
     identifiable information, about individuals who access any
     Internet site of the department or agency; and

     (2) entering into agreements with third parties, including
     other government agencies, to collect, review, or obtain
     aggregate lists or singular data containing personally
     identifiable information relating to any individual's access or
     viewing habits. [4]”

Following passage of this legislation, representatives of the Department of Defense
Office of Inspector General (DOD IG) met with congressional staff to obtain an
understanding of the intent of Section 646 and to discuss expectations regarding the
parameters of the review and individual reports. Based on these discussions, the DOD IG
prepared and distributed a list of agreed upon questions relating to Internet Privacy and
Web Cookies.
In addition, the due date for the report to Congress was extended to May
2001. Please refer to Appendix 1, entitled “Privacy Issues for IGs to Examine”, for a
copy of this list of the agreed upon questions.

[1] U.S. Office of Management and Budget, Memorandum 99-18, Privacy Policies on Federal Web Sites, June 2, 1999, p. 1.
[2] U.S. Office of Management and Budget, Memorandum 00-13, Privacy Policies and Data Collection on Federal Web Sites, June 22, 2000, p. 1.
[3] Cookies, 1998, URL: http://www.cookiecentral.com/cm002.htm (February 13, 2001).
[4] H.R. 5658, URL: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_bills&docid=f:h5658ih.txt. (February 15, 2001).

The objectives of this Special Review were to evaluate Commission practices related to
Internet Privacy and Web Cookies and to provide a report to Congress on these practices.
Specific objectives of the review were to examine: 1) the purpose and use of cookies on
FCC web pages, 2) the use of other Internet information collection devices, such as web
bugs, 3) what categories of information are collected on the FCC web site, 4) what
personal information is collected when people e-mail or submit questions to the agency,
including how this information is protected, and 5) the distribution of personally
identifiable information to any party outside of government for any purpose. The scope
of our review was limited to obtaining answers to the five questions that resulted from the
discussions between the DOD IG and the congressional staff and performing limited
testing to verify the accuracy of Commission responses.

During our limited review, we found that the Commission was generally complying with
Federal privacy laws and regulations. We identified two issues that needed corrective
action.
We identified one issue where the hyperlink text to the Internet privacy policy
web page could have been more clearly identified. When we informally notified the
Internet Webmaster, this problem was corrected. We reviewed the appropriate web sites
and confirmed that the FCC Webmaster implemented the change. The second issue
related to the International Bureau Filing System’s (IBFS) nondisclosure of its use of
cookies. When we notified the IBFS system owner of this observation, the system owner
stated that IBFS would disclose its use of cookies by adding a link to the Commission’s
Privacy Notice.

In a response to the draft report, the Chief Information Officer (CIO) stated that “the
report provides a comprehensive response to the questions asked during your review.”
The CIO suggested some minor edits, all of which we have incorporated into our report.
We have included a copy of the joint response in its entirety as Appendix 2 to this report.

REVIEW OBJECTIVE

The objectives of this Special Review on Internet Privacy and Web Cookies were to
evaluate Commission practices related to Internet Privacy and Web Cookies and to
provide a report to Congress on these practices. Specific objectives were to examine: 1)
the purpose and use of cookies on FCC web pages, 2) the use of other Internet
information collection devices, such as web bugs, 3) what categories of information are
collected on the FCC web site, 4) what personal information is collected (and not
disclosed) when people email or submit questions to the agency, and 5) the distribution of
personally identifiable information to any party outside of government for any purpose.

To accomplish the objectives of the Special Review, we sent questionnaires and e-mails
to the Chief Information Officer, the FCC Webmaster, and selected Bureau and Office
personnel.
We examined selected FCC Internet web pages for privacy statements. We
analyzed the hyperlink text connecting appropriate Commission web pages to the pages
containing the privacy information to determine if the privacy information was “clearly
labeled and easily accessed [5]” as required by Office of Management and Budget (OMB)
Memorandum 99-18.

REVIEW SCOPE

This project was conducted as a special review. A special review is meant to be a quick
study of a process and, as such, was not conducted in accordance with all professional
auditing standards. A special review was conducted in this case because of the time
constraints imposed by the legislation requiring the review.

The scope of our review was limited to obtaining answers to the five questions that
resulted from the discussions between the DOD IG and the congressional staff and
performing limited testing to verify the accuracy of Commission responses. In addition,
we reviewed selected Commission Internet web pages that aided us in responding to the
congressional inquiry. No Commission Intranet sites were examined as part of this
special review.

The special review was conducted at the Commission headquarters facility located at 445
12th Street, Southwest, Washington, DC. Fieldwork on this special review was conducted
from February 5, 2001 through March 16, 2001.

BACKGROUND

Federal agencies are required by law to protect an individual’s right to privacy when an
agency collects personal information. The Privacy Act of 1974, as amended, is the
primary law regulating the federal government’s collection and maintenance of personal
information. Other laws of general application that apply to the protection of personal
information collected by the Federal government are the Freedom of Information Act
(FOIA), the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and
the Computer Matching and Privacy Protection Act of 1988 [6].

[5] U.S. Office of Management and Budget, Memorandum 99-18, Privacy Policies on Federal Web Sites, June 2, 1999, p. 1.

OMB circulars and memorandums provide direction as to how federal agencies are to
implement these privacy laws. Appendices I and III of OMB Circular A-130 provide
advice to executive departments and agencies on protecting personal information. On
June 2, 1999, OMB issued Memorandum M-99-18 directing agencies to post privacy
policies on federal Web sites. On June 22, 2000, OMB issued Memorandum M-00-13
providing additional guidance relating to the collection of information by federal Web
sites [7]. These OMB documents add details that assist departments and agencies in
implementing the laws related to privacy in the Internet environment.

Recently, Congress added additional Web privacy requirements. As part of the Treasury
and Appropriations Act of 2001, Congress included a section on Web privacy. This
provision, Section 646 of the Treasury and Appropriations Act of 2001, requires the
Inspector General of each department or agency to submit to Congress a report that
discloses any activity of the applicable department or agency relating to: (1) the
collection or review of singular data, or the creation of aggregate lists that include
personally identifiable information, about individuals who access any Internet site of the
department or agency; or (2) entering into agreements with third parties, including other
government agencies to collect, review or obtain aggregate lists or singular data
containing personally identifiable information relating to any individual’s access or
viewing habits for governmental and non-governmental Internet sites [8].

OBSERVATIONS

On December 14, 2000, Congress passed the “Treasury and General Government Act,
2001”.
Section 646 of the Act states that “Not later than 60 days after the date of
enactment of this Act, the Inspector General of each department or agency shall submit
to Congress a report that discloses any activity of the applicable department or agency
relating to—

     (1) the collection or review of singular data, or the
     creation of aggregate lists that include personally
     identifiable information, about individuals who access any
     Internet site of the department or agency; and

     (2) entering into agreements with third parties, including
     other government agencies, to collect, review, or obtain
     aggregate lists or singular data containing personally
     identifiable information relating to any individual's access or
     viewing habits. [9]”

[6] United States General Accounting Office, Internet Privacy, Agencies’ Efforts to Implement OMB’s Privacy Policy (GAO/GGD-00-191, September 5, 2000), p. 47.
[7] Ibid.
[8] HR 5658, Treasury and General Government Appropriations Act, 2001, December 14, 2000, URL: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_bills&docid=f:h5658ih.txt. (February 15, 2001).

Following passage of this legislation, representatives of the DOD IG met with
congressional staff to obtain an understanding of the intent of Section 646 and to discuss
the parameters of the review and report. Based on these discussions, the DOD IG
prepared and distributed a list of agreed upon questions relating to Internet Privacy and
Web Cookies. In addition, the due date for the report to Congress was extended to May
2001.
Please refer to Appendix 1, entitled “Privacy Issues for IGs to Examine”, for a
copy of this list of the agreed upon questions.

This special review first focused on responding to the five questions on web privacy that
resulted from discussions between the DOD IG and congressional staff. Those questions
are restated with the FCC’s response below. For each question, we obtained input from
Commission Bureaus and Offices and prepared a consolidated response. In some cases,
we have added background information and information to clarify Bureau and Office
responses (e.g., description of session cookies versus persistent cookies). Where
appropriate, we have provided a brief description of the steps taken to verify Commission
responses. In addition to providing a response to the five (5) questions that were agreed
upon between DOD IG staff and congressional staff, we are reporting on another
observation we made on web privacy at the FCC.

Responses to the Agreed Upon Questions and OIG Comments

1. Cookies:
a. Follow up on GAO report last fall and their ongoing work.

FCC Response and OIG Comments: The September 2000 report by GAO on Internet
Privacy stated that when an agency uses cookies, it must “make clear” that it is
using cookies. OMB requires agencies to disclose the following information in their privacy
policies about the cookies and the information they collect:

     1. What information is collected;
     2. Why the information is collected; and
     3. How the information will be used [10].

To determine if the Commission complies with these regulations, we first determined if
the FCC had web pages that used cookies.
Then we examined the Commission’s Privacy
Notice to determine compliance with OMB regulations.

The FCC uses session cookies to support the Universal Licensing System (ULS),
Consolidated Database System (CDBS), Broadband Licensing System (BLS), Antenna
Structure Registration, International Bureau Filing System (IBFS),
and Auctions applications. These applications use session cookies only to maintain state.
The session cookies are erased when the user’s web browser is closed. A transaction or
session may involve a number of such information exchanges, each followed by a break
in the connection. In order to maintain the state (a user’s location during a web session)
of a transaction, the FCC web sites may place session cookies in memory allocated to
users' browsers. Session cookies permit the users to more efficiently perform
transactions when they are connected to the FCC web site. The session cookie may last
throughout the course of the transactions or sessions. However, session cookies are
erased from the users' systems when they close their browsers. No cookie remains on the
user’s computer.

[9] Ibid.
[10] United States General Accounting Office, Internet Privacy, Agencies’ Efforts to Implement OMB’s Privacy Policy (GAO/GGD-00-191, September 5, 2000), p. 12.

These session cookies collect one piece of information, the session id. This is used to
maintain state. These cookies are erased from the user’s system when they close their
Internet browsers.

No persistent cookies are used.
Persistent cookies are those cookies that typically stay in
a user’s browser for long periods of time [11], even after the user’s web browser is closed.
Persistent cookies are often used to track and gather personal data.

As part of our special review, we examined the ULS and the Antenna Structure
Registration applications and confirmed that the applications were using only session
cookies. We also searched the hard drives of the computers used to access these systems
and could not find any evidence of these session cookies.

b. Where GAO found cookies being used and not disclosed, IG should go behind
   that and ask what information is being collected and why.

FCC Response and OIG Comments: Cookie usage is disclosed to users in the Privacy
Notice section of the Disclosure Statement accessible from the FCC’s home page,
www.fcc.gov/disclaimers.html. We verified that the disclosure statement is accessible
from the FCC’s home page. We also verified that the Privacy Notice is linked by a
hypertext link to the Wireless Telecommunications Branch (WTB) home page,
www.fcc.gov/wtb, the e-filing home page, the Automated Reporting Management
Information System (ARMIS) page, www.fcc.gov/ccb/armis, the Bureau/Office page,
www.fcc.gov/bureaus.html, the Commissioners’ home page,
www.fcc.gov/commissioners.html, the Major Initiatives page, www.fcc.gov/major.html,
and the Releases and Updates page, www.fcc.gov/releases.html. The WTB and the
e-filing home pages are portals used to access the ULS, Antenna Structure Registration,
and Auctions applications.

The Commission’s Privacy Notice specifically addresses the issues posed in this question
(i.e., where are cookies being used and not disclosed, and what information is being
collected and why).
The text of the Commission’s Privacy Notice is printed below.

[11] Webopedia, Cookies, URL: http://webopedia.internet.com/TERM/c/cookie.html. (March 16, 2001).

     Privacy Notice

     The Federal Communications Commission provides this Internet site as a public
     service. We do not obtain personally identifying information about you when you
     visit this site unless you choose to provide such information to us.

     The FCC posts a Privacy Act notice at those places on this site where the
     Commission needs to collect any individually identifiable information for use by the
     FCC.

     Any information collected within the context of your email inquiry or comment is used
     only for the expressed purpose of responding to your inquiry or comment. We collect
     personally identifiable information only if specifically and knowingly provided by
     you.

     For site management, information is collected for statistical purposes. This
     government computer system uses software programs to create summary statistics,
     which are used for purposes such as assessing what information is of most and least
     interest, determining technical design specifications, and identifying system
     performance or problem areas. This information is not expressed in any form that
     would reveal personally identifiable information.

     The FCC provides numerous online software programs that support the Universal
     Licensing System, Antenna Structure Registration, Auctions, and other FCC
     functions. When a user visits the FCC web site to perform a transaction (sending an
     application, initiating a query, receiving a query response, etc), the web server
     receives data or sends a response and then may send a cookie before breaking the
     connection with the user.
     A cookie is a small piece of software that is placed by a web
     server on users’ personal computers and is then used to personalize the site when a
     visitor returns. A transaction or session may involve a number of such information
     exchanges, each followed by a break in the connection. In order to maintain the state
     (where one is in the process) of a transaction, the FCC web sites may place session
     cookies in memory allocated to users’ browsers. Session cookies permit the users to
     perform transactions as if they were connected to the FCC web site throughout the
     course of the transactions or sessions. Session cookies are erased from the users’
     systems when they close their browsers [12].

As part of our special review, we examined the IBFS application. During our review, a
reply from the International Bureau disclosed that the IBFS application uses session
cookies to maintain system state. However, we determined that IBFS does not disclose
their use in its web pages or provide a link to a privacy notice. When we notified the
IBFS system owner of this nondisclosure issue, the system owner stated that IBFS would
disclose its use of cookies by adding a link to the Commission’s Privacy Notice.

[12] Federal Communications Commission, Policies and Notices, November 6, 2000, URL: http://www.fcc.gov/disclaimers.html. (February 15, 2001).

2. Other information-collection devices (Web bugs, etc.):
a. Is personal information being collected and not disclosed?

FCC Response and OIG Comments: Commission Bureaus and Offices indicate that
they do not use other collection devices such as web bugs. Our limited review of
Commission web pages did not disclose any use of web bugs to collect personal
information.

3. General information collection:
a. In what instances do agencies collect personally identifiable information (e.g.,
   names, addresses, phone, cell and fax numbers, social security numbers) via
   Web sites (including information collected with the help of cookies or Web bugs,
   as well as information collected when Web site users submit questions using
   e-mail or other means) without disclosure? In such instances, exactly what
   information is being collected and why?

FCC Response and OIG Comments: The FCC collects names, addresses, phone
numbers, faxes, for its electronically and manually filed licensing, fee filing, complaint,
and comment forms. The Commission Registration System (CORES) and the ULS
collect taxpayer identification numbers (TINs). TINs are nine digit numbers
corresponding to social security numbers (SSNs) and employer identification numbers
(EINs). All information is provided on a voluntary basis for business applications and TIN
specifically for the Debt Collection Act of 1996.

Cookies are used only to maintain session state, not to collect any information, including
personally identifiable information. Persistent cookies are not used.

b. In such instances, where is the information stored, and are the archives
   accessible to the public? Are these archives FOIA-able?

FCC Response and OIG Comments: Commission Bureaus and Offices indicate that all
electronic information is stored in the FCC’s databases and computers, either owned by
the FCC or managed by its contractors. All licensing information, with the exception of
TIN, is accessible to the public via web applications and license searches. All data, with
the exception of TIN, can be obtained through a process established by the Freedom of
Information Act (FOIA).

4. Public questions to agencies:
a. Is personal information collected (and not disclosed) when people email or
   submit questions to the agency?
   This issue applies only to personal information
   collected for questions submitted by e-mail or via the Internet.

FCC Response and OIG Comments: Five (5) FCC Bureaus and Offices replied that
they do not collect personal information, either by e-mail or through the World Wide
Web. Eight (8) others replied that they collect some personal information. Those
Bureaus and Offices that collect personal information indicate that this information is
collected by the sites while performing day to day Commission activities such as license
filing via the Internet or responding to e-mail queries by consumers. This information is
collected for valid business related purposes such as implementing Commission policies
and procedures and providing consumers with accurate and timely information to resolve
their complaints in an effective and amicable manner.

Personal information, such as name or address, may be disclosed, in some instances, as
part of the administration of the Commission's policies, programs and rules. For
example, the name and address of the holder of a license may be disclosed electronically
as part of the Commission’s policy to allow the general public, members of the industry,
and state regulatory agencies, among others, to have access to this information.
Electronic access is an outgrowth of the Commission’s policy of allowing public access
to this information through such mechanisms as the Commission Reading Room.
Sensitive information, such as TIN information, is not disclosed. All data, with the
exception of TIN information, can be obtained via the FOIA process.

The Commission’s e-filing Internet applications collect personal data, including names
and addresses. For example, the electronic tariff filing system (ETFS) of the FCC’s
Common Carrier Bureau (CCB) collects information on filers of tariffs.
CCB classifies
ETFS data as tariffs, not as "questions to the agency." Tariffs are filed so that the public
can examine and challenge them. Therefore, it is not possible for the ETFS filers to
believe that the information would be held in confidence. Other licensing applications
are also filed with the knowledge the public can examine and often challenge them.

5. Third parties
a. Provide examples of agency/administration agreements, if any, with third parties
   to collect data containing personally identifiable information relating to an
   individual's access or viewing habits? If so, can you provide us details about
   such agreements?

FCC Response and OIG Comments: Commission Bureaus and Offices report that they
do not have any agreements with third parties to collect data containing personally
identifiable information relating to an individual's access or viewing habits.

During our special review, we did not find any instances of agency/administration
agreements with third parties to collect data containing personally identifiable
information relating to an individual's access or viewing habits.

b. Disclose any instances where personally identifiable information was sold, given
   away, or distributed by government agencies (or their contractors) to any party
   outside of government (including contractors) for any purpose, and find out why
   such information was distributed.

FCC Response and OIG Comments: Commission Bureaus and Offices did not report
any instances where personally identifiable information was sold, given away, or
distributed by government agencies (or their contractors) to any party outside of
government (including contractors) for any purpose.

During our special review, we did not find any instances where personally identifiable
information was sold, given away, or distributed by government agencies (or their
contractors) to any party outside of government (including contractors) for any purpose.

Related Web Privacy Observation

In general, the Commission is complying with the web privacy policies as enunciated in
the applicable public laws and OMB documents. The Privacy Statement found at
http://www.fcc.gov/disclaimers.html meets OMB standards. Also, the FCC has limited
its use of cookies and other programs to the acceptable, non-intrusive session cookies.

However, we found one problem with the labeling of the privacy statement on the FCC's
home page and other pages, such as the e-filing page. Appendix I to OMB Memorandum
99-18 requires that privacy policies must be clearly labeled and easily accessed when
someone visits a web site. In a September 2000 report on Internet privacy, the GAO
defined the term "clearly labeled." The GAO stated that hypertext links to Privacy
Statements must include the word "privacy." [13] The hypertext links to the FCC's Privacy
Statement, such as the one on the Commission's home page, do not use the word
"privacy."
We are suggesting that these links incorporate the word privacy in their text.
A possible modification could read 'Web Site Policies and Notices, including Privacy.'

We notified the Webmaster of our observation. He immediately changed the wording on
the home page to read "Web Site Policies, Notices & Privacy Statement" and stated that
he will change it on the rest of the non-bureau/office-specific pages as soon as possible.
Also, he will request that the bureaus make a similar change to the pages that they
control.

On February 15, 2001, we confirmed that the hyperlink text to the privacy statement
notice read "Web Site Policies, Notices & Privacy Statement." With the implementation
of the revised wording on the FCC’s home page, we consider this matter to be closed.

[13] United States General Accounting Office, Internet Privacy, Agencies’ Efforts to Implement OMB’s Privacy Policy (GAO/GGD-00-191, September 5, 2000), p. 37.

Appendix 1

PRIVACY ISSUES FOR IGs TO EXAMINE

A. Cookies

   1. Follow up on GAO report last fall and their ongoing work.

   2. Where GAO found cookies being used and not disclosed, IGs should go behind
      that and ask what information is being collected and why.

B. Other information-collection devices (Web bugs, etc.)

   1. Is personal information being collected and not disclosed?

C. General information collection

   1. In what instances do agencies collect via Web sites personally identifiable
      information (e.g., names, addresses, phone, cell and fax numbers, social security
      numbers) by any means when that is not disclosed? In such instances, exactly
      what information is being collected and why?

   2. In such instances, where is the information stored, and are the archives accessible
      to the public? Are these archives FOIA-able?

D. Public questions to agencies

   1. Is personal information collected (and not disclosed) when people email or submit
      questions to the agency?

E. Third parties

   1. Provide examples of agency/administration agreements with third parties to
      collect data containing personally identifiable information relating to an
      individual’s access or viewing habits.

       1. What happened at the Forest Service? (See GAO report).
       2. What happened at ONDCP?

   2. Disclose any instances where personally identifiable information was sold, given
      away, or distributed by government agencies (or their contractors) to any party
      outside of government (including contractors) for any purpose, and find out why
      such information was distributed.
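
Added example (not part of the OIG report and not FCC code): the session-versus-persistent distinction described under question 1a can be checked from the Set-Cookie headers a site returns, because a cookie with no Expires or Max-Age attribute is held only for the browser session. The header values and the reference date below are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def classify_set_cookie(header_value, now):
    """Classify one Set-Cookie header value by how long the browser keeps it.

    Returns a dict with the cookie name, a kind of "session", "persistent"
    or "deleted", and the lifetime in seconds (None for session cookies).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    max_age = None
    expires = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                pass  # a malformed Max-Age is ignored, as browsers do
        elif key == "expires":
            try:
                parsed = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                continue  # an unparseable date is ignored
            if parsed.tzinfo is None:
                parsed = parsed.replace(tzinfo=timezone.utc)
            expires = parsed

    # Max-Age takes precedence over Expires when both are present (RFC 6265).
    if max_age is not None:
        lifetime = max_age
    elif expires is not None:
        lifetime = int((expires - now).total_seconds())
    else:
        # No lifetime attribute: kept in memory until the browser closes.
        return {"name": name, "kind": "session", "lifetime_s": None}
    # A zero or negative lifetime tells the browser to drop the cookie now.
    kind = "persistent" if lifetime > 0 else "deleted"
    return {"name": name, "kind": kind, "lifetime_s": lifetime}


def audit_cookies(set_cookie_headers, now):
    """Return only the cookies that would outlive the browser session."""
    results = [classify_set_cookie(h, now) for h in set_cookie_headers]
    return [r for r in results if r["kind"] == "persistent"]


# Constructed sample headers (not captured from any FCC system).
SAMPLE_NOW = datetime(2001, 3, 16, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sessionid=8f3a21; Path=/",
    "visitor=77; Expires=Wed, 10 Apr 2002 00:00:00 GMT; Path=/",
    "prefs=compact; Max-Age=31536000; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "stale=; expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "broken=1; Max-Age=soon",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS, SAMPLE_NOW):
        print(finding)
```

A site that uses only session cookies, as the report describes, yields an empty list from audit_cookies.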